URL: https://arstechnica.com/security/2023/10/google-hosted-malvertising-leads-to-fake-keepass-site-that-looks-genuine/
SEEING AIN'T BELIEVING —


GOOGLE-HOSTED MALVERTISING LEADS TO FAKE KEEPASS SITE THAT LOOKS GENUINE


GOOGLE-VERIFIED ADVERTISER + LEGIT-LOOKING URL + VALID TLS CERT = CONVINCING
LOOK-ALIKE.

Dan Goodin - 10/19/2023, 6:50 AM

Image credit: Miragec/Getty Images

Google has been caught hosting a malicious ad so convincing that there’s a
decent chance it has managed to trick some of the more security-savvy users who
encountered it.

Screenshot of the malicious ad hosted on Google. (Malwarebytes)

Looking at the ad, which masquerades as a pitch for the open source password
manager Keepass, there’s no way to know that it’s fake. It’s on Google, after
all, which claims to vet the ads it carries. Making the ruse all the more
convincing, clicking on it leads to ķeepass[.]info, which, when viewed in an
address bar, appears to be the genuine Keepass site.

Screenshot showing keepass.info in the URL and the Keepass logo. (Malwarebytes)

A closer look at the link, however, shows that the site is not the genuine one.
In fact, ķeepass[.]info—at least as it appears in the address bar—is just the
decoded rendering of xn--eepass-vbb[.]info, which, it turns out, is pushing a
malware family tracked as FakeBat. Combining the ad on Google with a website
whose URL is almost identical creates a near-perfect storm of deception.

“Users are first deceived via the Google ad that looks entirely legitimate and
then again via a lookalike domain,” Jérôme Segura, head of threat intelligence
at security provider Malwarebytes, wrote in a post Wednesday that revealed the
scam.

Information available through Google’s Ad Transparency Center shows that the ads
have been running since Saturday and last appeared on Wednesday. The ads were
paid for by an outfit called Digital Eagle, which the transparency page says is
an advertiser whose identity has been verified by Google.

Screenshot of the Google Ad Transparency page displaying information for
Digital Eagle, Inc. (Malwarebytes)

Google representatives didn’t immediately respond to an email, which was sent
after hours. In the past, the company has said it removes fraudulent ads
promptly after they’re reported.

The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to
appear as ķeepass[.]info is an encoding scheme known as punycode. It allows
Unicode characters to be represented in standard ASCII text. Looking carefully
at the name above, the small comma-like mark immediately below the k is easy to
spot. When the name appears in an address bar, the mark is just as easy to
miss, especially when the URL is backed by a valid TLS certificate, as is the
case here.


Further reading: Chrome, Firefox, and Opera users beware: This isn’t the
apple.com you want

Punycode-enhanced malware scams have a long history. Two years ago, scammers
used Google ads to drive people to a site that looked almost identical to
brave.com, but was, in fact, another malicious website pushing a fake, malicious
version of the browser. The punycode technique first came to widespread
attention in 2017, when a Web-application developer created a proof-of-concept
site that masqueraded as apple.com.

There’s no sure-fire way to detect either malicious Google ads or punycode
encoded URLs. Pasting ķeepass[.]info into all five major browsers leads to the
imposter site. When in doubt, people can open a new browser tab and manually
type the URL, but that’s not always feasible when URLs are long. Another option
is to inspect the TLS certificate to make sure it belongs to the site displayed
in the address bar.
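The punycode mapping described earlier (xn--eepass-vbb rendered as ķeepass) and the certificate check suggested in the paragraph above both come down to comparing the wire form of a hostname with what the user sees. The following Python triage helper is an added example, not code from the article or from Malwarebytes. It uses Python's built-in `idna` codec to convert between the two forms and flags names whose diacritic-stripped "skeleton" collides with a protected brand. The `PROTECTED` allowlist is constructed for the example, and `skeleton()` is a deliberately simplified stand-in for the UTS #39 confusables table: it folds diacritics such as the k-cedilla in the article but not cross-script look-alikes, so a separate non-Latin-letter check is included to go beyond the article's single case.

```python
"""Triage helper for punycode/IDN look-alike hostnames (added example).

Assumptions: PROTECTED is a constructed allowlist of brand domains; skeleton()
approximates UTS #39 confusable folding by stripping combining marks only.
"""
import unicodedata

# Constructed allowlist of domains a defender wants to protect (assumption).
PROTECTED = {"keepass.info", "brave.com", "apple.com"}


def to_unicode(host: str) -> str:
    """A-label -> U-label: what an address bar renders for an xn-- name."""
    try:
        raw = host.encode("ascii")
    except UnicodeEncodeError:
        return host.lower()  # already a U-label, nothing to decode
    return raw.decode("idna")


def to_ascii(host: str) -> str:
    """U-label -> A-label: the form that goes into DNS and the TLS cert SAN."""
    return host.encode("idna").decode("ascii").lower()


def skeleton(host: str) -> str:
    """Fold diacritics: NFKD-decompose, drop combining marks, lowercase.

    '\u0137eepass.info' (k with cedilla) -> 'keepass.info'. Cross-script
    confusables such as Cyrillic 'a' for Latin 'a' are NOT folded here.
    """
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def scripts_in_label(label: str) -> set:
    """Unicode script names of the letters in one label, e.g. {'LATIN'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in label if c.isalpha()}


def assess(host: str) -> dict:
    """Return a triage record for one hostname (U-label or A-label input)."""
    ascii_form = to_ascii(host)
    unicode_form = to_unicode(ascii_form)
    labels_u = unicode_form.split(".")
    has_idn = any(lbl.startswith("xn--") for lbl in ascii_form.split("."))
    # Any letter outside the Latin script in a Latin brand space is suspicious,
    # whether the label mixes scripts or is wholly Cyrillic.
    non_latin = any(scripts_in_label(lbl) - {"LATIN"} for lbl in labels_u)
    skel = skeleton(unicode_form)
    # Impersonation: the folded name is a protected brand, but the wire-level
    # A-label (what the cert would be issued for) is not that brand.
    impersonates = skel if (skel in PROTECTED and ascii_form != skel) else None
    return {
        "input": host,
        "ascii": ascii_form,
        "unicode": unicode_form,
        "skeleton": skel,
        "has_idn": has_idn,
        "non_latin_letters": non_latin,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # The A-label from the article, the genuine domain, and the U-label form.
    for h in ("xn--eepass-vbb.info", "keepass.info", "\u0137eepass.info"):
        print(assess(h))
```

Feeding proxy or DNS logs through `assess()` and alerting on records where `has_idn` is true and `impersonates` is set catches the exact trick in the story; `non_latin_letters` widens the net to the 2017 apple.com-style whole-script cases that diacritic folding alone cannot see. Compare the `ascii` field against the certificate's subject alternative names when doing the manual check the article recommends, since that is the form the certificate is actually issued for.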


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees
coverage of malware, computer espionage, botnets, hardware hacking,
encryption, and passwords. In his spare time, he enjoys gardening, cooking, and
following the independent music scene.

© 2023 Condé Nast. All rights reserved.